TypeEnforcement - Revision history
http://selinuxproject.org/w/?title=TypeEnforcement&action=history
Revision history for this page on the wiki
en
MediaWiki 1.10.4
Tue, 31 Mar 2015 20:46:10 GMT
Jaxelson at 20:25, 31 August 2010
http://selinuxproject.org/w/?title=TypeEnforcement&diff=1019&oldid=prev
<table border='0' width='98%' cellpadding='0' cellspacing='4' style="background-color: white;">
<tr>
<td colspan='2' width='50%' align='center' style="background-color: white;">←Older revision</td>
<td colspan='2' width='50%' align='center' style="background-color: white;">Revision as of 20:25, 31 August 2010</td>
</tr>
<tr><td colspan="2" align="left"><strong>Line 1:</strong></td>
<td colspan="2" align="left"><strong>Line 1:</strong></td></tr>
<tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;">''See Also: [[NB TE|Type Enforcement (Notebook)]]''</td></tr>
<tr><td colspan="2">&nbsp;</td><td>+</td><td style="background: #cfc; font-size: smaller;"></td></tr>
<tr><td> </td><td style="background: #eee; font-size: smaller;">Type enforcement is the primary access control mechanism in SELinux. For an access to succeed, it must be allowed by type enforcement rules, at a minimum. The other mechanisms, such as roles, are used to constrain what access is allowed.</td><td> </td><td style="background: #eee; font-size: smaller;">Type enforcement is the primary access control mechanism in SELinux. For an access to succeed, it must be allowed by type enforcement rules, at a minimum. The other mechanisms, such as roles, are used to constrain what access is allowed.</td></tr>
<tr><td> </td><td style="background: #eee; font-size: smaller;"></td><td> </td><td style="background: #eee; font-size: smaller;"></td></tr>
</table>
Tue, 31 Aug 2010 20:25:29 GMT
Jaxelson
http://selinuxproject.org/page/Talk:TypeEnforcement
ChrisPeBenito: New page: Type enforcement is the primary access control mechanism in SELinux. For an access to succeed, it must be allowed by type enforcement rules, at a minimum. The other mechanisms, such as r...
http://selinuxproject.org/w/?title=TypeEnforcement&diff=790&oldid=prev
<p><b>New page</b></p><div>Type enforcement is the primary access control mechanism in SELinux. For an access to succeed, it must be allowed by type enforcement rules, at a minimum. The other mechanisms, such as roles, are used to constrain what access is allowed.<br />
<br />
Type enforcement is an access control system that decides whether an access is allowed based on the type of the source of the access and the type of the target of the access. The source and target are also referred to as the subject and object. The subject is an active entity (a process) performing an access. An object, such as a file, directory, or another process, is an entity being accessed. For example, when vim opens a file to be edited, the subject is the vim process and the object is the file.<br />
<br />
As discussed in [[BasicConcepts]], a type is a security attribute. Types are equivalence classes, meaning all subjects and objects in the system which have the same security attributes should have the same type. For example, all shared libraries on the system have the same type, ''lib_t'', since they are all equivalent in terms of security.<br />
<br />
The SELinux security policy contains the type enforcement rules which describe the accesses that are allowed. The SELinux policy is flexible, unlike other systems which have a fixed policy, such as Bell-LaPadula/Multi-Level Security systems. Many security goals can be encoded into the policy, such as integrity and separation. The current Reference Policy primarily protects the integrity of the system, but secondarily provides role separation. The complexity of SELinux policy is not inherent to SELinux or type enforcement, but rather due to Linux being a complex, general purpose operating system.</div>
Wed, 04 Nov 2009 16:02:59 GMT
ChrisPeBenito
http://selinuxproject.org/page/Talk:TypeEnforcement